A group of Russian security researchers released Some days ago who have successfully extracted the secret key that processors use Intel to encrypt updates with the help of exploit that could have major consequences on the way chips are used and possibly how they are protected.
Maxim goryachy and the researchers Dmitry Sklyarov and Mark Ermolov from Positive Technologies, exploited a critical vulnerability that Ermolov and Goryachy found in the Intel management engine in 2017.
As such, the flaw that they take advantage of allows access to the debugging of the microcode, which will later be used as a means to update the processors in case of vulnerabilities or low-level changes in functionality.
The key used to decrypt microcode updates provided by Intel to fix security vulnerabilities and other types of bugs.
However, have a decrypted copy of an update could allow hackers to reverse engineer and learn precisely how to exploit the flaw that the update fixes.
The key too may allow third parties other than Intel, Like a hacker or anyone with the right tools or knowledge, please update the chips with your own microcode (although they mention that this custom version will not survive the system reboot).
About the ruling
It was three years ago when researchers Goryachy and Ermolov discovered a critical vulnerability in Intel Management Engine, indexed as Intel SA-00086, which allowed them to run whatever code they wanted inside the Intel CPU-dependent kernel.
They mention that,an that Intel released a patch to fix the bug, it could still be exploited, since CPUs can be reverted to a previous firmware version without the fix.
However it was until just a few months ago (at the beginning of the year) that the research team was able to use the vulnerability they found to unlock a service mode built into Intel chips called the "Red Pill Chip" that its engineers use to debug microcode. Goryachy, Ermolov, and Sklyarov later named their tool for accessing the Chip Red Pill debugger in a reference to The Matrix.
By accessing one of Intel's Goldmont-based CPUs in Chip Red Pill mode, the researchers were able to extract a special ROM area called the MSROM (Microcode ROM Sequencer).
Then, reverse engineered the microcode and after months of analysis, they were able to extract the RC4 key used by Intel in the update process.
However, the researchers were unable to discover the signing key used by Intel to cryptographically prove whether an update is authentic or not.
They mention that:
“The problem described does not represent a security exposure for customers, and we do not rely on obfuscation of the information behind the red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel's manufacturing guidance have mitigated the OEM-specific unlock capabilities required for this investigation. The private key used to authenticate the microcode does not reside on silicon, and an attacker cannot upload an unauthenticated patch to a remote system '.
"There's a misconception that modern CPUs are mostly factory set and will sometimes receive limited-scope microcode updates for especially egregious bugs," Kenn White, director of product security at MongoDB, told me. "But as long as that is true (and to a large extent it is not), there are very few practical limits to what an engineer could do with the keys to the kingdom for that silicon."
As such, researchers also see the silver lining. to take advantage of the flaw, as it could be a means for those who want to root their CPU (in the same way that people have jailbroken or rooted iPhone and Android devices or hacked Sony's PlayStation 3 console) and thus be able to add or unlock some characteristics, since for example you have the reference of the blocked cores of some series of processors.
Source: https://arstechnica.com
If this continues, INTEL will go into a total tailspin… No one will want to keep using their processors.